How can i block Mobile phones on my FTD "not FMC"

arvind
Level 1

We've configured DHCP on FTD and all the users are getting internet via DHCP ip and we want this to be blocked for MOBILE users.

Please suggest how we can achieve this.

Thank You in advance.

11 Replies

Can you elaborate more?

You have FTD and you use FDM, not FMC?

How do users use DHCP to access the internet?

Thanks

MHM

arvind
Level 1

Just wanna know if there is any possible way to block MOBILE Phones so they won't be able to access internet.

We're using FDM.

Internet link is terminated on Firewall

DHCP is configured on Firewall interface which is connected to switch 

LAN to WAN policy is configured

Users > AP > Switch > FTD (locally manage) > Internet 

Users are getting the IP from Firewall via AP's SSID and Switch as DHCP is configured on firewall's Interface which is connected to Switch. 

here we want to block mobile phone users.

We've gone through multiple forums and articles and confirmed that MAC address based configuration is not supported by CISCO FTD now.

Kindly advise how we can achieve this, or whether it's not possible.

I never tested this but here are my thoughts,

Whether on FTD via FDM or from FMC, the process is the same.

To block internet access for mobile users while allowing other users to obtain IP addresses via DHCP on FTD (Firepower Threat Defense), you can use an access control policy. Here's a step-by-step guide:

1. Log in to the FTD management console or ASDM (Adaptive Security Device Manager).
2. Navigate to the "Policies" section or the area where access control policies are configured.
3. Create a new access control policy or edit an existing one that is applicable to the network traffic you want to control.
4. In the policy, create a new rule specifically for blocking internet access for mobile users.
5. Define the source criteria for mobile users. This could be based on IP address range, MAC address, or any other identifier that distinguishes mobile users from other users.
6. Specify the destination criteria for internet access, such as the IP range or domain names that you want to block.
7. Set the action for the rule to "Deny" or "Block" to prevent mobile users from accessing the specified destinations.
8. Configure the rule's position within the policy to ensure it is evaluated before any rules that allow internet access for other users.
9. Save the policy configuration.


With this setup, when a mobile user attempts to obtain an IP address via DHCP, they will be assigned an IP address but will be blocked from accessing the internet based on the access control policy rule you created.

please do not forget to rate.

[attached image: arvind_0-1684485626948.png]

MAC address based configuration is not possible, and we cannot block FQDNs.

The way you have set up your network, in the given circumstances it would be very difficult to achieve what you want to do, unless you are using Cisco Identity Services Engine to integrate your firewall with it; with this you can create a policy to allow access to your mobile devices. Hence I assume that if you do not have ISE it would be difficult to make this work.

please do not forget to rate.

You have phones getting IPs from the DHCP; just put the phones in a specific VLAN so they get a specific IP range from the DHCP server, and then deny this subnet access to ANY,
i.e.
permit phone subnet to other subnets
deny phone subnet to ANY
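Both the step about rule position in the step-by-step answer above and the "permit phone subnet to other subnets, deny phone subnet to ANY" sketch rely on the same property: an access control policy is evaluated top-down, first match wins, so a specific deny placed below a broad LAN-to-WAN permit never fires. The following Python is an added illustration, not code from the thread or from Cisco; it assumes constructed addressing (phones on a dedicated VLAN receiving 10.10.20.0/24 from the firewall's DHCP, other users on 10.10.10.0/24, and an existing broad 10.10.0.0/16 permit) and models rule evaluation with the standard library's `ipaddress` module, including a shadowing check that flags rules an earlier, wider rule makes unreachable.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One access control rule: source/destination network and action."""
    name: str
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network    # 0.0.0.0/0 stands for "ANY"


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation, top-down; returns (action, matching rule name).
    With no matching rule the policy's implicit default is deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.name
    return "deny", "implicit-default"


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule's
    source and destination both fully cover them (order-of-rules bug)."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                hidden.append(later.name)
                break
    return hidden


# Constructed sample addressing (assumption, not from the thread).
PHONE_SUBNET = ipaddress.ip_network("10.10.20.0/24")   # phone SSID / VLAN
USER_SUBNET = ipaddress.ip_network("10.10.10.0/24")    # other LAN users
LAN = ipaddress.ip_network("10.10.0.0/16")             # existing LAN-to-WAN permit
ANY = ipaddress.ip_network("0.0.0.0/0")

# Order as the thread suggests: specific phone rules first, broad permit last.
CORRECT_ORDER = [
    Rule("phones-to-internal", "permit", PHONE_SUBNET, USER_SUBNET),
    Rule("phones-block-internet", "deny", PHONE_SUBNET, ANY),
    Rule("lan-to-wan", "permit", LAN, ANY),
]

# Same rules with the broad permit on top: the phone deny is never reached.
WRONG_ORDER = [CORRECT_ORDER[2], CORRECT_ORDER[0], CORRECT_ORDER[1]]


if __name__ == "__main__":
    for label, policy in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "phone -> internet:", evaluate(policy, "10.10.20.5", "8.8.8.8"))
        print(label, "phone -> LAN user:", evaluate(policy, "10.10.20.5", "10.10.10.7"))
        print(label, "user  -> internet:", evaluate(policy, "10.10.10.7", "8.8.8.8"))
        print(label, "shadowed rules:", shadowed_rules(policy))
```

Running `shadowed_rules` over a candidate rule order before committing it is the cheap check: if the phone deny shows up as shadowed, the ordering step has been missed and phones will still reach the internet through the broad permit.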

@Sheraz.Salim is it possible to achieve this without ISE

This Q is not for me, I think,
and make it simple, friend, no need to complicate.

Unless you change your design. For example, create a new SSID or VLAN and from that VLAN create a DHCP scope so your mobile devices get their IP addresses from this VLAN. But again, how can we convince the mobile users to use the mobile phone SSID?

So I do not think it is possible.

please do not forget to rate.

davidjohnson
Level 1

To block mobile phones on your FTD (Firepower Threat Defense) without using FMC (Firepower Management Center), you can follow these steps:

1. Identify the MAC addresses of the mobile phones you want to block. You can typically find this information in the device settings or through the DHCP lease information.

2. Log in to the FTD device using the CLI (Command Line Interface) or SSH.

3. Enter privileged EXEC mode by typing `enable` and providing the appropriate password.

4. Access configuration mode by typing `configure terminal`.

5. Create an access control policy to block the mobile phones by entering the following command:
```
access-list <policy-name> extended deny any host <mobile-MAC-address>
```

Replace `<policy-name>` with a name for your access control policy and `<mobile-MAC-address>` with the MAC address of the mobile phone you want to block.

6. Apply the access control policy to the inbound traffic on the interface where the DHCP server is connected:
```
access-group <policy-name> in interface <interface-name>
```

Replace `<policy-name>` with the name of your access control policy and `<interface-name>` with the name of the interface connected to the DHCP server.

7. Repeat steps 5 and 6 for each mobile phone MAC address you want to block.

8. Save the configuration by typing `write memory` or `wr mem` to ensure the changes persist after a reboot.

By implementing these steps, you should be able to block mobile phones from accessing the internet through DHCP on your FTD device. However, please note that it's important to carefully consider the impact and legality of blocking mobile phones on your network, as it may have legal and ethical implications.


Regards;

David Johnson.

@davidjohnson is this another one of your AI chatbot copy/paste answers?
As already explained that is not in the spirit of these communities.
Share your knowledge/expertise if you know the answers or can help but don't fill these forums with waffle you've copied from a search/query result.
